Windows Event Log (EVT)

From ForensicsWiki
Revision as of 14:36, 14 March 2006

MS Windows Event Log Files


Windows typically maintains three event log files: application, system, and security (AppEvent.Evt, SysEvent.Evt and SecEvent.Evt). They are generally found in C:\Windows\system32\config.

Each log file consists of a header record followed by the body. The body consists of event records, the cursor record and unused space. The body may be used as a ring buffer; in that case the cursor record marks the boundary between the newest and the oldest event record. Unused space can be empty space (never written), slack (remnants of overwritten records) and padding.

Header Record

  1. uint32 length of record in bytes, fixed 0x30
  2. char magic[4], fixed 'LfLe' (for Event log file)
  3. uint32 major version, fixed 1 (bytes 01 00 00 00)
  4. uint32 minor version, fixed 1 (bytes 01 00 00 00)
  5. uint32 offset of first (oldest) event record
  6. uint32 offset of next event record (where the next record will be written; the cursor record sits here)
  7. uint32 number of next event record
  8. uint32 number of first (oldest) event record
  9. uint32 filesize (see below)
  10. uint32 flags (see below)
  11. uint32 retention period in seconds
  12. uint32 length of record in bytes (again), fixed 0x30

Microsoft's winnt.h describes this record as ELF_LOGFILE_HEADER; the fields above correspond to HeaderSize, Signature, MajorVersion, MinorVersion, StartOffset, EndOffset, CurrentRecordNumber, OldestRecordNumber, MaxSize, Flags, Retention and EndHeaderSize.

The offsets and record numbers in the header are written only when the file is closed, i.e. they are current only while the DIRTY flag (see below) is clear. If DIRTY is set, the header values are stale and the cursor record must be consulted instead.

Filesize is updated only during some recovery operations.

Flags

  • 0x0001 DIRTY if set; set on the first write after the file is opened and cleared on close (ELF_LOGFILE_HEADER_DIRTY in winnt.h).
  • 0x0002 WRAPPED if set; set once the log has wrapped around (ELF_LOGFILE_HEADER_WRAP).
  • 0x0004 FULL if set; set when an event record could not be written because of the size limit and the retention policy in effect (ELF_LOGFILE_LOGFULL_WRITTEN).
  • 0x0008 PRIMARY if set, BACKUP if unset (ELF_LOGFILE_ARCHIVE_SET). This flag possibly depends on the origin of the log file; its usage appears to change between earlier (pre-SP1) and later (SP4) versions of Windows 2000.

Cursor Record

  1. uint32 length of record in bytes, fixed 0x28
  2. uint32 magic[4], fixed 0x11111111 0x22222222 0x33333333 0x44444444
  3. uint32 offset of first event record
  4. uint32 offset of next event record
  5. uint32 number of next event record
  6. uint32 number of first event record
  7. uint32 length of record in bytes, fixed 0x28
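A parser for the header and cursor records described above, added here as an example (it is not part of the original ForensicsWiki page). It validates the fixed values, decodes the flags, and decides which pointers to trust: the header's when the log was closed cleanly, the cursor record's when DIRTY is set, in which case the cursor is located by its 16-byte magic because the header offsets are stale. The Python field names and the sample bytes are constructed for this example; the winnt.h flag names in the comments are Microsoft's.

```python
import struct
from dataclasses import dataclass

# Header flag bits as listed above; the winnt.h names are ELF_LOGFILE_HEADER_DIRTY,
# ELF_LOGFILE_HEADER_WRAP, ELF_LOGFILE_LOGFULL_WRITTEN and ELF_LOGFILE_ARCHIVE_SET.
FLAGS = {0x0001: "DIRTY", 0x0002: "WRAPPED", 0x0004: "FULL", 0x0008: "PRIMARY"}
FLAG_DIRTY = 0x0001

HEADER_FMT = "<I4sIIIIIIIIII"          # 12 fields, 0x30 bytes
CURSOR_FMT = "<10I"                    # size, 4 magic dwords, 4 pointers, size: 0x28 bytes
CURSOR_MAGIC = struct.pack("<4I", 0x11111111, 0x22222222, 0x33333333, 0x44444444)


@dataclass
class Pointers:
    first_offset: int      # file offset of the oldest event record
    next_offset: int       # file offset where the next record goes (the cursor sits here)
    next_record: int       # record number the next event will get
    first_record: int      # record number of the oldest event
    source: str            # "header" or "cursor"


def parse_header(log):
    """Parse the 0x30-byte header record and validate its fixed values."""
    if len(log) < 0x30:
        raise ValueError("file too short for an EVT header")
    f = struct.unpack_from(HEADER_FMT, log, 0)
    if f[0] != 0x30 or f[11] != 0x30 or f[1] != b"LfLe":
        raise ValueError("not an EVT header (bad size or magic)")
    return {
        "major_version": f[2], "minor_version": f[3],
        "first_offset": f[4], "next_offset": f[5],
        "next_record": f[6], "first_record": f[7],
        "max_size": f[8], "flags": f[9], "retention": f[10],
    }


def decode_flags(flags):
    """Names of the flag bits set in the header's flags field."""
    return [name for bit, name in sorted(FLAGS.items()) if flags & bit]


def find_cursor(log):
    """Locate the cursor record by its magic; the record starts 4 bytes before the magic."""
    pos = log.find(CURSOR_MAGIC, 0x30)
    if pos < 0x34:
        raise ValueError("no cursor record in body")
    start = pos - 4
    f = struct.unpack_from(CURSOR_FMT, log, start)
    if f[0] != 0x28 or f[9] != 0x28:
        raise ValueError(f"cursor record at {start:#x} has bad size fields")
    return start, f[5], f[6], f[7], f[8]   # start, first_offset, next_offset, next_record, first_record


def log_pointers(log):
    """Return the offsets and record numbers to trust: header if clean, cursor if DIRTY."""
    hdr = parse_header(log)
    if hdr["flags"] & FLAG_DIRTY:
        _, first_off, next_off, next_rec, first_rec = find_cursor(log)
        return Pointers(first_off, next_off, next_rec, first_rec, "cursor")
    return Pointers(hdr["first_offset"], hdr["next_offset"],
                    hdr["next_record"], hdr["first_record"], "header")


def build_sample(flags, hdr_next_offset, hdr_next_record):
    """Constructed test file (not a real log): header, 0x100 bytes standing in for
    event records, then a cursor record at 0x130 saying the next record is number 5."""
    header = struct.pack(HEADER_FMT, 0x30, b"LfLe", 1, 1, 0x30, hdr_next_offset,
                         hdr_next_record, 1, 0x10000, flags, 0, 0x30)
    cursor = struct.pack(CURSOR_FMT, 0x28, 0x11111111, 0x22222222, 0x33333333,
                         0x44444444, 0x30, 0x130, 5, 1, 0x28)
    return header + b"\x00" * 0x100 + cursor + b"\x00" * 0x40


if __name__ == "__main__":
    dirty = build_sample(FLAG_DIRTY, 0x30, 1)      # header pointers stale: log was not closed
    print(decode_flags(parse_header(dirty)["flags"]), log_pointers(dirty))
    clean = build_sample(0, 0x130, 5)              # closed cleanly: header pointers are current
    print(decode_flags(parse_header(clean)["flags"]), log_pointers(clean))
```

On a live system the application, system and security logs are normally open, so DIRTY is set and the cursor path is the one that matters; the header path applies to saved or copied logs.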

Event Record

Details of the event record can be found in Microsoft's MSDN library under EVENTLOGRECORD. Each event record begins with its uint32 length and the same 'LfLe' magic, followed by the record number; the fixed part is 0x38 bytes long and gives the offsets of the variable-length strings, SID and binary data that follow it, and the record ends with a repeat of its uint32 length.

Padding

If a log file has reached its configured size limit, the retention policy allows wrapping, and the space remaining before the end of the file is larger than 0x38 bytes but smaller than the event record to be written, then

  • the event log service writes the first part of the event record (up to record offset 0x38, i.e. the fixed part) in place,
  • fills the remaining space to the end of the file with padding of 0x0027,
  • continues with the second part of the event record (from record offset 0x38 onwards) at the top of the body, immediately after the header, that is at file offset 0x30.
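Reading records out of the ring buffer, including the split described above, as an added example (not from the original page). `read_record` reads the 0x38-byte fixed part in place, verifies that the space up to the end of the file is 0x27 padding, and takes the remainder from file offset 0x30; `walk_records` follows the chain from the oldest record to the cursor and checks the trailing length that every EVENTLOGRECORD repeats, which catches a wrap that was reassembled incorrectly. The 0x120-byte log is constructed inline, and the end of the ring is assumed to be the file length. The case where fewer than 0x38 bytes remain is not covered by the description above, so the reader rejects it rather than guess.

```python
import struct

BODY_START = 0x30                       # body begins right after the 0x30-byte header record
FIXED_PART = 0x38                       # fixed part of an EVENTLOGRECORD (Length .. DataOffset)
PAD_DWORD = struct.pack("<I", 0x27)     # fill value used for the padding described above
RECORD_FMT = "<I4sIIIIHHHHIIIIII"       # the 0x38-byte fixed part, see MSDN EVENTLOGRECORD


def read_record(log, offset, file_end):
    """Return (record_bytes, next_offset, wrapped) for the record starting at offset.

    A record that does not fit before file_end is reassembled from its fixed part
    in place plus the remainder at BODY_START, skipping the 0x27 padding between.
    """
    remaining = file_end - offset
    if remaining < FIXED_PART:
        # Layout above only covers the case where the fixed part still fits before the end.
        raise ValueError(f"{remaining:#x} bytes left at {offset:#x}: fixed part does not fit")
    length, magic = struct.unpack_from("<I4s", log, offset)
    if magic != b"LfLe" or length < FIXED_PART + 4:
        raise ValueError(f"no event record at {offset:#x}")
    if length <= remaining:
        return bytes(log[offset:offset + length]), offset + length, False
    padding = log[offset + FIXED_PART:file_end]
    if padding != PAD_DWORD * (len(padding) // 4):
        raise ValueError(f"expected 0x27 padding from {offset + FIXED_PART:#x} to {file_end:#x}")
    rest_len = length - FIXED_PART
    record = bytes(log[offset:offset + FIXED_PART]) + bytes(log[BODY_START:BODY_START + rest_len])
    return record, BODY_START + rest_len, True


def walk_records(log, first_offset, next_offset, file_end, limit=100000):
    """Follow the ring from the oldest record to the cursor; return (number, length, wrapped) tuples."""
    out, off = [], first_offset
    for _ in range(limit):
        if off == next_offset:
            return out
        raw, off, wrapped = read_record(log, off, file_end)
        length, _, number = struct.unpack_from("<I4sI", raw, 0)
        trailing = struct.unpack_from("<I", raw, length - 4)[0]   # Length is repeated at the end
        if trailing != length:
            raise ValueError(f"record {number}: trailing length {trailing:#x} != {length:#x}")
        out.append((number, length, wrapped))
    raise ValueError("record chain never reached next_offset")


def make_record(number, length, fill):
    """Constructed EVENTLOGRECORD: fixed part, (length - 0x3c) data bytes of `fill`, trailing Length."""
    data_len = length - FIXED_PART - 4
    fixed = struct.pack(RECORD_FMT, length, b"LfLe", number, 0, 0, 0, 4, 0, 0, 0, 0,
                        FIXED_PART, 0, FIXED_PART, data_len, FIXED_PART)
    return fixed + bytes([fill]) * data_len + struct.pack("<I", length)


def build_sample():
    """Constructed 0x120-byte log (not a real file). Record 1 was overwritten; record 2 sits
    at 0x90; record 3 (0x60 bytes) was written at 0xD0 with only 0x50 bytes left, so its
    fixed part is at 0xD0, 0x18 bytes of padding follow, and its remaining 0x28 bytes are
    at 0x30, followed by the cursor record at 0x58."""
    file_end = 0x120
    rec2, rec3 = make_record(2, 0x40, 0xBB), make_record(3, 0x60, 0xCC)
    cursor = struct.pack("<10I", 0x28, 0x11111111, 0x22222222, 0x33333333, 0x44444444,
                         0x90, 0x58, 4, 2, 0x28)
    log = bytearray(file_end)               # header slot 0x00..0x30 left zero: not needed here
    log[0x30:0x58] = rec3[FIXED_PART:]
    log[0x58:0x80] = cursor
    log[0x90:0xD0] = rec2                   # 0x80..0x90 is slack left from record 1
    log[0xD0:0x108] = rec3[:FIXED_PART]
    log[0x108:0x120] = PAD_DWORD * 6
    return bytes(log), 0x90, 0x58, file_end


if __name__ == "__main__":
    log, first, nxt, end = build_sample()
    for number, length, wrapped in walk_records(log, first, nxt, end):
        print(f"record {number}: {length:#x} bytes{' (wrapped)' if wrapped else ''}")
```

The first and next offsets passed to `walk_records` are the ones the header or cursor record supplies; a dirty log needs the cursor's values, otherwise the walk starts from stale pointers and the magic check fails on the first record.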